When you work in IT, nothing is worse than being impacted by a cyberattack.
If you’ve been there, you know. You sit, staring at the screen of your workstation, with a single thought pulsing through your head on repeat: “I should never have agreed to switch my on-call to this weekend.”
An hour earlier, the first signs of trouble came in: an escalated ticket that the production database servers seemed like they dropped offline. You quickly confirmed that the systems couldn’t be accessed through remote desktop. “Not a problem,” you thought as you accessed the URL for the lights-out interface that enables remote control of even completely crashed servers. You entered your Active Directory credentials on the web page and… no access.
You started to get really concerned. Escalated tickets started to collect in your email inbox, which fortunately (or perhaps unfortunately, you thought to yourself) remained unaffected. You decided to log into a domain controller and entered your Domain Admin credentials — and waited. And waited. And waited. Finally, you saw confirmation of what you already knew to be true: “Your personal files are encrypted!”
Shaking yourself from your reverie, you start to mentally prepare for what will no doubt be one of the least pleasant experiences of your career. You dial into the war room bridge and think to yourself, “What could I have done to prevent this if I could travel back in time?”
Imagining the “impossible”
We all hope that we never have to deal with the aftermath of a calamitous attack. Fortunately, the odds are decent you never will. Many people avoid thinking about it, trusting that they will simply cross that bridge when they come to it.
But there is value to really thinking through the realities of a cyberattack. The Stoic philosophers famously practiced something called “memento mori,” which literally means to remember one’s own mortality. But in practice, it does not mean to grimly anticipate our fate, but rather to recontextualize our present. It is a reminder that at the end, we would give anything to have what we have now.
Similarly, it is worth predicting the ramifications of a cyberattack on your organization. After all, what wouldn’t the poor engineer in the scenario above give to be able to go back in time and disrupt that attack?
In this post, we will discuss in broad terms how an attack can be disrupted during three main phases: prior to the attack, during the attack and after the attack.
Prior to an attack
When most people think of disrupting a cyberattack, they focus on preventing it. And that is absolutely correct! Every metaphorical dollar that we spend on defense is worth orders of magnitude more than the money spent battling an attack in progress or recovering from one. (Just don’t become so focused on preventing an attack that you neglect planning for the two later phases.)
Implementing effective defensive postures across all IT is a broad topic that encompasses everything from email hygiene to endpoint management to network firewalls. Here are three principles to keep in mind that are proven to reduce the risk of a successful cyberattack.
Trust no one
Don’t envision your organization as a castle, but instead like a bazaar. In other words, a well-protected organization is no longer focused on keeping the bad guys out via digital walls and moats, but rather accepts the reality that most organizations will have a constant flow of external devices, users and data that are interacting with the organization. This constant activity blurs the line between “inside” and “outside” such that you can’t trust anything that is happening in your network. The security term for this is Zero Trust, but in practice it means there is no longer an inner courtyard surrounded by walls for attackers to breach. Instead, users and devices need to be continuously evaluated for risk based on their behavior and their access dynamically curtailed based on that behavior.
Constantly evaluate
Maintaining proper security hygiene is a process, not a project. Microsoft’s 2022 Digital Defense Report includes a wild statistic: 98% of attacks can be thwarted by adhering to basic security hygiene. So, it’s simple, right? Run a project to implement good hygiene practices. Add multifactor authentication (MFA) to (at least) your administrative accounts. Distribute privileged access workstations (PAWs) to your administrative staff. Hire penetration testers to find weaknesses in your armor.
But treating security hygiene like a project with an end date and deliverable doesn’t go far enough. If we think of your organization’s IT environment like the aforementioned bustling bazaar, we know that it is in a constant state of change and entropy. As soon as the project is complete, the security hygiene will begin to become not-so-hygienic.
Instead, security hygiene should be treated as part of the normal operational charter of an organization. It’s essential to constantly compare the current environmental state to best practices, constantly reevaluate those best practices and constantly nudge the environment closer to best practices.
Prioritize the choke points
One of the brutal truths of defending your organization from cyberattack is that you must be effective every time, while adversaries need to get it right just once. Most IT organizations have many thousands of pathways that an attacker could use to get what they want, and it’s impossible to mitigate each one individually.
Rather than playing Whac-A-Mole trying to mitigate every potential method an attacker could use, focus on strategies that render entire categories of attacks useless by mitigating their choke points. For example, a computer used by an administrator could be compromised in a multitude of ways: a spear-phishing campaign, a supply chain attack, a malicious wireless access point and so on. As defenders, we could work to find mitigating strategies for each of these issues, as well as each new one that comes up.
Or we could use a more effective approach and require administrators to use only privileged access workstations. PAWs are immune to email attacks because they aren’t allowed to connect to an email server; they are immune to supply chain attacks because only cryptographically verified software is installed; and they are reimaged after any connection to an untrusted network. Accordingly, using PAWs eliminates entire categories of attacks with a single strategy.
During the attack
No matter how much work we put into building an effective cyber defense strategy is, we must assume it will fail. We must assume that an attacker will get it right that one time and gain a foothold in our environment.
And when that happens, every moment matters. But with effective planning for defending against an attack in progress, we can limit the ability of adversaries to achieve their goals. Here are two principles to keep in mind with regard to disrupting an attack in progress.
Mind your signals
The first principle is to make sure that you can detect attacks. There are many tools that can provide close to real-time information about activity in your environment. You should have detection capabilities in at least these three areas:
- Network
- Endpoint
- Identity
The solutions that you deploy should be specific to the platforms you have deployed in these areas so they will account for their particular vulnerabilities. For instance, if your user workstations mostly run macOS, it would be wise to invest in endpoint security solutions that focus on that operating system. The architecture of macOS is quite different from Windows or Linux, and you will get better, more actionable alerts using tools specific to it. Similarly, if Active Directory is still the primary on-premises identity method for many of your systems, it is important to invest in detection capabilities that specialize in AD.
This strategy may be counterintuitive. Many organizations look for a single solution that can cover a breadth of systems to gain benefits such as minimizing integration complexity and challenges in dealing with different vendors. But ultimately, capability outweighs the benefits of the one-size-fits-all approach; it is far more important to have the most comprehensive, concise and actionable signals. Clear information is what enables you to uncover problems before it’s too late to respond effectively.
Practice your response
Planning and practicing your response to different security situations is vital to disrupting attacks in progress. An attack is never the right time to be figuring things out, doing research or trying to find the right authority in your organization to chart a response.
Instead, runbooks should be drawn up in advance that outline the response to various malicious activity. This may seem a daunting prospect, but resources like MITRE’s ATT&CK matrix can be used to understand attackers’ tools, techniques and procedures that need to be planned for.
Critically, this planning should include the chain of communications needed to make sure that proper teams are informed to take countermeasures, as well as informing business stakeholders. Note that the latter need only be informed — having pre-vetted and agreed-upon runbooks empowers responsible parties to execute countermeasures without waiting for executive sign-off during an attack.
Response playbooks need to cross information technology silos. For instance, if endpoint detection and response software reports that an identity administrator’s laptop was compromised, a reasonable response might be to deactivate that administrator’s identities immediately. Responding to threats across security silos in an effective manner is the point behind extended detection and response (XDR) software, but that is simply a way to automate something that any organization can do. The important thing is to define the response and practice the playbook because during an attack, every minute matters.
After the attack
We don’t often think of being able to disrupt an attacker after they have successfully infiltrated an organization. One might imagine that is game over, with nothing left to do but try to recover as best as possible and move on.
But this isn’t always the reality of a cyberattack.
First, being attacked isn’t an all or nothing proposition. Attacks do not always affect the entire network, either because attackers were not able to do so or didn’t choose to do so. Portions of your IT organization may be unaffected, or affected only because they depend on other parts that were compromised.
Second, in the event of a ransomware attack, the attacker’s goal is often be to extract a financial ransom from the organization. Paying a ransom is expensive and embarrassing, of course, but it also puts the organization at future risk: Attackers who know that your organization paid once are likely to try to breach your organization again to get you to pay again. By having the ability to recover effectively and efficiently, your organization can often deny your attackers a significant portion of their goal.
More broadly, having the ability to efficiently restore IT operations gives you options. It gives you the option of not having to pay to decrypt the systems affected by ransomware. It gives you the option to roll systems back to a known good state to curtail further adversarial activity.
Focus on the workloads
The key to an effective recovery strategy, a strategy that can be deployed confidently post-attack, is to focus on the workloads and how they interact with each other. Too often, it is easy to think of recovery at the enterprise platform level. Think of the platform, such as Windows Server, as a cardboard box, and your organization’s workloads as the contents of that box. The theory goes that if we can back up and restore the box, then we get the contents back.
Reduce your AD attack surface.
To an extent that is true, but this approach to recovery ignores the modern reality of information technology. Restoring entire servers is not just time- and effort-intensive — there is an excellent chance that you are restoring the reason you are recovering to begin with, such as malware, ransomware or compromised systems. Furthermore, many workloads today are being delivered as a cloud service. Backing up and restoring servers does you little good if all your Entra ID objects and configurations have been hard deleted through a script.
Take stock of your workloads. Understand how they interact with each other. Develop recovery strategies specific to each key system, and test recoveries of systems in different configurations. Be confident in how long recovery is going to take and how different systems with different dependencies will interact.
By having an atomic, workload-focused recovery strategy, you will have options to limit the damage and return your environment to production.
In conclusion
Defending your organization from cyberattack is a huge topic, and as it is so often, the devil is in the details. But the main takeaway is this: It’s critical to implement the right strategies for before an attack, during an attack and after an attack. Don’t attempt to figure this out when you are under pressure. There is no silver bullet for security. Improving your cybersecurity and cyber resilience requires a coordinated ballet of platforms, tools and processes.
